A flaw in the Tor browser may have leaked user IP addresses. Photo: The Tor Project, Inc./Wikimedia Commons

Users of the popular, privacy-focused Tor Browser may not have enjoyed the level of anonymity they expected out of the anonymous web browser. A flaw was recently discovered in the Tor Browser, which may have leaked the real IP addresses of users.

The vulnerability affects Tor users operating on Apple’s desktop macOS operating system and Linux. A patch has already been made available for the problem, though users who have not yet updated are still at risk.

The issue stems from Tor Browser version 7.0.8 for the two affected operating systems, which contains the vulnerability that was first discovered on Oct. 26 by researchers at Italian security and ethical hacking company We Are Segment.

The problem is caused by an issue in Firefox, the browser that provides the primary framework for Tor. An issue with how the browser handles URLs can result in the IP address of an individual user to leak, potentially exposing information about their location. The researchers dubbed the issue the TorMoil bug.

“Due to a Firefox bug in handling file:// URLs it is possible on both systems that users leak their IP address. Once an affected user navigates to a specially crafted web page, the operating system may directly connect to the remote host, bypassing Tor Browser,” the researchers wrote of the flaw.

An IP address is an identifying number assigned to each device online and allows the host to communicate directly with the device. Having that detail leak online is particularly problematic for the privacy-minded users who use the Tor Browser, as the address can reveal details such as a person’s physical location and what network they are connected to.

Once the issue was disclosed, the team at Tor worked with Mozilla, the makers of the Firefox browser, to create a fix. A partial patch was developed on Oct. 31, just five days after the bug was discovered, and issued for users on Nov. 3.

“The fix we deployed is just a workaround stopping the leak,” researchers at Tor said, acknowledging the issue. “As a result of that navigating file:// URLs in the browser might not work as expected anymore. In particular entering file:// URLs in the URL bar and clicking on resulting links is broken. Opening those in a new tab or new window does not work either. A workaround for those issues is dragging the link into the URL bar or on a tab instead.”

A more permanent patch is said to be on the way for users exposed to the TorMoil vulnerability and likely to be available on November 6. Users of the Tor Browser for MacOs and Linux will have to download the update to version 7.0.9 to make sure they are clear of the issue. Windows users remain unaffected by the bug and won’t require a security patch or update.

It’s unclear if the TorMoil issue first appeared in the browser with version 7.0.8 or if it has been present for longer. As such, all users of Tor for the affected operating systems are advised to upgrade to the latest version of the browser with the fix once it is made available.